A security researcher discovered a flaw in Instagram’s website that left user contact information exposed for months, potentially allowing nefarious actors to create databases containing the phone numbers and email addresses of thousands.
David Stier, a data scientist and business consultant, earlier this year discovered an issue with Instagram’s website in which source code for some user profiles contained private contact information not made available on public-facing pages, reports CNET.
Citing archived versions of Instagram profiles dating back to October 2018, Stier believes thousands of accounts were impacted by the flaw, including pages belonging to private individuals, minors and businesses. The researcher informed Instagram of the problem in February and the company issued a patch in March.
As noted by CNET, the exposure presented a prime opportunity to collect sensitive information from the photo sharing service. It is postulated that bad actors were able to create vast databases of user contact information simply by scraping Instagram’s website source code during the four-month period in question.
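The exposure described above is a classic case of a page's source carrying data that its rendered view does not show. A defender-side check for that pattern, written here as an added example (it is not Instagram's code, CNET's, or Stier's), is a scanner that parses a profile page, separates what a browser would display from what lives only in script blocks and attribute values, and flags contact details that appear solely in the non-rendered part. The sample HTML, the `_sharedData` blob and the contact values in it are constructed for this example; the e-mail and phone patterns are heuristics and would be tuned per site.

```python
"""Flag contact data present in a page's source but absent from its visible text."""
import re
from html.parser import HTMLParser

# Heuristic patterns: good enough to catch obvious e-mail and phone strings.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

# Elements whose text content a browser never renders.
NON_RENDERED = ("script", "style", "template", "noscript")


class _Collector(HTMLParser):
    """Split a document into rendered text and non-rendered source fragments."""

    def __init__(self):
        super().__init__()
        self.visible = []   # text a user sees on the page
        self.hidden = []    # script/style bodies and attribute values
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in NON_RENDERED:
            self._hidden_depth += 1
        # Attribute values (href, content, data-*) are part of the source, not the view.
        for _name, value in attrs:
            if value:
                self.hidden.append(value)

    def handle_endtag(self, tag):
        if tag in NON_RENDERED and self._hidden_depth > 0:
            self._hidden_depth -= 1

    def handle_data(self, data):
        # HTMLParser delivers <script>/<style> bodies through handle_data too.
        (self.hidden if self._hidden_depth else self.visible).append(data)


def find_pii(text):
    """Return a set of e-mail addresses and digit-normalised phone numbers in text."""
    found = set(EMAIL_RE.findall(text))
    for match in PHONE_RE.findall(text):
        digits = re.sub(r"\D", "", match)
        if 8 <= len(digits) <= 15:      # plausible E.164 length, drops years/counters
            found.add(digits)
    return found


def find_hidden_pii(html):
    """Contact values that occur only in non-rendered source, sorted for stable output."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    visible = find_pii(" ".join(parser.visible))
    hidden = find_pii(" ".join(parser.hidden))
    return sorted(hidden - visible)


# Constructed sample: a profile page whose bio shows one e-mail on purpose, while a
# server-injected JSON blob in a <script> also carries a private e-mail and phone.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta name="description" content="Example profile">
<title>example_user</title>
</head><body>
<h1>example_user</h1>
<p>Photographer since 2015. Bookings: <a href="mailto:contact@example.com">contact@example.com</a></p>
<script>window._sharedData = {"user": {"username": "example_user",
  "email": "hidden@example.com", "phone": "+1 555 0100 200"}};</script>
</body></html>
"""

if __name__ == "__main__":
    for item in find_hidden_pii(SAMPLE_HTML):
        print("contact value only in source, not on page:", item)
```

Run this against rendered profile pages in a staging environment as a release check; any hit means the template or an embedded state object is shipping a field the product did not intend to publish. The visible e-mail in the bio is deliberately not reported, since the user chose to display it.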
One such list might already be in use. A report on Monday revealed an unsecured database maintained by Indian social media marketing firm Chtrbox leaked personal contact information tied to millions of Instagram influencer accounts, including users not affiliated with the company. An ensuing investigation found the database included 49 million records, a figure that continued to grow until the list was pulled from Amazon Web Services later that day.
Instagram is investigating both Stier’s report and the Chtrbox database.
“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources,” Instagram owner Facebook said in a statement on Monday. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available.”
A year prior to the source code snafu, Instagram was embroiled in a similar privacy kerfuffle when hackers exploited a bug in the service’s developer API to glean phone numbers and email addresses attached to high-profile accounts.